from the because-we're-the-us-gov't-dammit dept

Last month, we wrote about Microsoft challenging the DOJ's attempt to use the outdated Electronic Communications Privacy Act (ECPA) to go fishing for emails held overseas. As Microsoft rightly noted, a warrant does not apply overseas. A magistrate judge tried to dance around this, saying that a warrant under ECPA is really kinda like a subpoena. But Microsoft points out how insane that is:

This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.

Overseas records must be disclosed domestically when a valid subpoena, order, or warrant compels their production. The disclosure of records under such circumstances has never been considered tantamount to a physical search under Fourth Amendment principles, and Microsoft is mistaken to argue that the SCA provides for an overseas search here. As there is no overseas search or seizure, Microsoft’s reliance on principles of extra-territoriality and comity falls wide of the mark.

A bunch of tech and telco companies have all jumped into the case on Microsoft's side as well, noting that the DOJ's argument would almost certainly violate data privacy laws in other countries, not to mention piss off governments around the globe. The crux of the argument, as per usual with the DOJ, is that when it wants data, it will twist and twist and twist the laws to enable it to get access to as much data as possible, with as little scrutiny as possible. This is just one of many reasons why we need serious ECPA reform -- such that it actually respects the 4th Amendment. But, in this case, it would be nice to have a judge realize that even under such an outdated law, the DOJ's interpretation is simply out of line.

from the bad-decision dept

A few weeks ago, we wrote about how Malibu Media was up to its old tricks again, demanding six strikes data from Comcast as part of its evidence gathering for its copyright trolling. Apparently, no one fought the request, so a magistrate judge has granted Malibu Media's request and told Comcast to comply with the forthcoming subpoena. When the six strikes plan was first put into place, many people worried that the information from it would be used in lawsuits, but people hadn't realized that it might also get abused by copyright trolls. All the more reason to question whether or not such a program is a good idea. When you have a system that allows "strikes" to be issued with no due process at all, which can then be used by a company currently responsible for 40% of all copyright lawsuits -- nearly all of which they're really using to shake down settlement fees -- it should make you wonder if the six strikes program is really such a good idea.

Here's a link to the photo which kicked off the unlikely chain of events. It depicts two green-clad people, presumably of consenting age, expressing their love in a physical manner. Needless to say, probably, very definitely NSFW.

Redditor un1cornbl00d received notice from Reddit that the Delaware DOJ had served a subpoena demanding the platform turn over his personal information, along with "all posts, responses and their content" related to the original submission. (Found here, with comments now deleted).

The good news is that Reddit's privacy policy (which states that it will inform users that their information has been requested unless prohibited by a court order) trumps the ridiculous phrase the state DOJ deploys in all caps mid-subpoena.

*DO NOT NOTIFY CUSTOMER*

PLEASE DO NOT DISCLOSE OR NOTIFY THE USER OF THE ISSUANCE OF THIS SUBPOENA. DISCLOSURE TO THE USER COULD IMPEDE AN INVESTIGATION OR OBSTRUCT JUSTICE.

Well, if you seriously believe an investigation might be "impeded" or "obstructed," you might want to put with more legal weight than a caps lock key behind it. Most court orders don't say "please," and most court orders point out the legal reasons for the demand. This subpoena tries to demand compliance with shouty typing.

Apparently, this is the way things are done at Joe Biden Jr.'s office. Another subpoena sent late last year demanding that Facebook turn over information on the "owner" of a small (~300 likes at the time subpoena was issued) page with an anti-government slant contained similar all-caps demands for keeping everything a secret… which was also ignored.

*SUBSCRIBER IS NOT TO BE NOTIFIED OR MADE AWARE OF THIS INVESTIGATION*

So, why would a "special investigator" at the state DA's office be interested in a tossed-off comment on a photo of two people having sex out in the open? Well, as far as anyone can theorize, whoever's monitoring social media for the Delaware DOJ (or the entities that feed into it) must have thought unic0rnbl00d was the rarest of creatures on the internet: someone who only tells the truth, and if so, was hoping to bust his "sister" (and possibly Joe Random Stranger as well). Quotes from police "investigating" the sex that two (probably inebriated) people momentarily enjoyed confirm that the force was indeed looking to slap these two with some sort of charge. (Link contains photo -- NSFW)

[T]he police are investigating the pair on suspicion of lewd conduct. A Newark Police spokesman said the couple was "engaging in sexual intercourse in public in plain view of numerous passersby."

Why the hell the state is so interested in punishing people for consensual acts performed in the past is beyond me, other than that pervasive belief that the word "justice" means no one getting away with anything ever. I would think whatever nearly-nonexistent tarnishing of state pride would pale in comparison to the state now being viewed as overreaching busybodies after sending subpoenas to track down an internet commenter and targeting people engaged in First Amendment activities. The latter subpoena is vastly more concerning, as it shows the state attempting to sniff out people with anti-government sentiments. Sure, the page may contain the word "riot," but the full title of the group is "Peaceful Rioters For Wilmington, Delaware."

Again, these may not be signs of active social media monitoring, but this sort of behavior certainly doesn't reflect well on those in the Delaware law enforcement community. I can only assume the state has run out of real crime or other pressing issues and is now just creating busywork for its special investigators.

from the going-to-be-an-important-fight dept

Back in April, we wrote about a magistrate judge ruling that Microsoft had to comply with a warrant asking for data that was held on servers in Dublin. Microsoft argued, quite reasonably, that a US warrant doesn't apply outside of the US. Unfortunately, magistrate judge James Francis disagreed, saying that while it's true that traditional warrants only apply inside the US, this is different because it's "digital." He argued that because the issue was about information, rather than physical property, it could be considered more like a subpoena than a warrant. As we noted, Microsoft made it clear that it would challenge this ruling, and now it has done so, arguing that the ruling flies in the face of the law and the Constitution. This summary from Microsoft's filing is pretty clear on what an incredibly big deal this is, with the government basically seeking to get the best of a subpoena and a warrant without any of the protections and limits required of either:

The Magistrate Judge issued a warrant under the Electronic Communications Privacy Act ("ECPA")
that on its face, purports to authorize the Government to search any and all of Microsoft's facilities worldwide. Microsoft moved to vacate the warrant because the private email
communications the Government seeks are located in a Microsoft facility in Dublin, Ireland and
because Congress has not authorized the issuance of warrants that reach outside U.S. territory.
The Government cannot seek and a court cannot issue a warrant allowing federal agents to break
down the doors of Microsoft's Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do -- i.e., execute a warranted search abroad. To
end-run these points. the Government argues, and the Magistrate Judge held, that the warrant required by ECPA is not a "warrant" at all. They assert that Congress did not mean "warrant"
when using that term, but instead meant some previously unheard of "hybrid" between a warrant
and subpoena duces tecum. The Government takes the extraordinary position that by merely
serving such a warrant on any U.S.-based email provider, it has the right to obtain the private
emails of any subscriber, no matter where in the world the data may be located. and without the
knowledge or consent of the subscriber or the relevant foreign government where the data is
stored.

This interpretation not only blatantly rewrites the statute, it reads out of the Fourth
Amendment the bedrock requirement that the Government must specify the place to be searched
with particularity, effectively amending the Constitution for searches of communications held
digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border
criminal investigations. If this is what Congress intended, it would have made its intent clear in
the statute. But the language and the logic of the statute, as well as its legislative history, show
that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that
warrants may not be issued to obtain evidence located in the territory of another sovereign nation.

The Government's interpretation ignores the profound and well established differences
between a warrant and a subpoena. A warrant gives the Government the power to seize evidence
without notice or affording an opportunity to challenge the seizure in advance. But it requires a
specific description (supported by probable cause) of the thing to be seized and the place to be
searched and that place must be in the United States. A subpoena duces tecum, on the other
hand, does not authorize a search and seizure of the private communications of a third party. Rather. it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government
wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction
between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain
types of data with a subpoena or a "court order," but required a warrant to obtain a person's most
sensitive and constitutionally protected information -- the contents of emails less than 6 months
old.

Verizon has stepped in as well, pointing out that if the original ruling is allowed to stand, it could have significant negative impact on the ability of US businesses to get non-US users to trust them -- an increasingly important issue in light of the Snowden revelations.

The magistrate’s ruling, if left standing, could cost U.S. businesses billions of dollars in lost
revenue, undermine international agreements and understandings, and prompt foreign
governments to retaliate by forcing foreign affiliates of American companies to turn over the
content of customer data stored in the United States.

The recent revelations about U.S. intelligence practices have heightened foreign
sensitivities about the U.S. government’s access to data abroad, generated distrust of U.S.
companies by foreign officials and customers, and led to calls to cease doing business with U.S.
communications and cloud service providers. Studies have estimated that this distrust will result
in tens of billions of dollars in lost business over the next few years. The magistrate’s ruling, if
left standing, will dramatically increase the harm to American businesses. It would mean that
foreign customers’ communications and other stored data would be available to hundreds or
thousands of federal, state, and local law enforcement agencies, regardless of the laws of the
countries where the data is held. Foreign customers will respond by moving their business to
foreign companies without a presence in the United States.

If you hadn't figured it out by now, this case is going to have tremendously important ramifications for privacy around the globe.

The Department of Veterans Affairs' in-house watchdog has demanded that the Project On Government Oversight turn over all information it has collected related to abuses and mismanagement at VA medical facilities, according to a subpoena delivered to POGO May 30.

The subpoena from the VA Office of Inspector General demands all records POGO has received from current or former VA employees, as well as any other individuals, including veterans. The subpoena asks for records related to "wait times, access to care, and/or patient scheduling issues at the Phoenix, Arizona VA Healthcare System and any other VA medical facility."

While on one hand, the information the IG is seeking is exactly the sort of data it needs to complete its investigation, the larger issue is the subpoena's potential to undermine the confidentiality promised to whistleblowers who submitted documents through POGO's VAOversight.org website. Nearly 700 people have turned over information to POGO's secure dropbox since the site's launch in early May. POGO advised submitters to take steps to maintain their anonymity when submitting (using TOR, not submitting docs from work phones, computers or fax machines, etc.) and all submissions were sent as encrypted messages.

Now, with a simple administrative subpoena -- one that isn't even signed by a judge -- all of this protection is being removed. Anyone who failed to take preventative measures, or might be traced back via other means, can now be exposed by the IG's efforts.

The current administration talks a lot about transparency and the importance of whistleblowers in keeping the government in line, but its actions have completely contradicted its spoken assurances. This administration has prosecuted more whistleblowers than all other administrations combined. Those who may be swept up by the IG's investigation include many who tried to alert the government of the VA's problems through proper channels, but turned to a third party when their grievances went unanswered.

Our unwillingness to comply with the subpoena is consistent with our long history of protecting sources who come to our organization. POGO has consistently refused to turn over information and/or records about our sources, investigations, and practices when government agencies, Congress, and parties in civil and administrative cases made such requests, including requests made pursuant to a subpoena. POGO has always taken the position that the First Amendment protects POGO's right to protect the whistleblowers, sources, and insiders who come to us with information or assist in POGO’s investigations.

The letter further points out that there's little reason to believe that the Inspector General doesn't already have access to the sort of information its seeking.

The IG's office has provided no basis to suggest that the information possessed by POGO as a result of its investigation of the VA is not already available to the IG, including through the VA IG "hotline." Accordingly, the administrative subpoena is little more than an invasive fishing expedition.

Edward Snowden, along with many others, has said that the best tool right now to defeat the NSA and other government spying is the use of encryption. It is possible that some forms of encryption are not breakable by the NSA. It is likely that breaking other forms of encryption is slow and/or expensive to do on a world wide web-scale. It is a race of course, between how many supercomputing algorithms the NSA can throw at the problem and the cleverness of the people creating new forms of better encryption.

If the government can access documents and information with a simple piece of paper– a subpoena– then all the encryption in the world is pointless.

This is part of the government's interpretation of the Third Party Doctrine, one that has made the Fourth Amendment almost completely useless.

DOJ has turned all that around. It claims now that under the Fourth Amendment, it can subpoena an Internet company such as Facebook and demand they look for and turn over all the records they have about Mr. Anderson. DOJ isn’t searching, per se– they are demanding Facebook do that for them, so no warrant is needed. Worse yet, DOJ believes it can subpoena multiple records, maybe all the records something like Facebook has, with one piece of paper. The same thing applies, DOJ claims, to email. If they came to someone’s home and demanded access to that person’s emails, it would require a specific search warrant. Instead, if DOJ issues a subpoena to say Google, they can potentially vacuum up every Gmail message ever sent.

So, while encryption may stymie the interception of communications, it doesn't do much good when the government arrives with a piece of paper asking for the unencrypted end result of these communications, especially one that is self-issued by the Inspector General with no additional legal scrutiny. POGO encrypted submissions but the IG's subpoena asks for everything its collected in unencrypted form ("fully legible and complete copies of the records"). The assurances given to anonymous whistleblowers by POGO are as meaningless as the assurances given to users of Lavabit's encrypted email service. The government doesn't mind much if you encrypt the "middle," because it can always just ask for stuff at either end.

from the extreme-obnoxiousness dept

A year ago, we wrote about the ridiculous situation of a company called Personal Audio, which claimed to have a patent that covered podcasting and had started going after a bunch of the top podcasters, including Adam Carolla and How Stuff Works. The patent in question, 8,112,504, was for an attempt to deliver news on audio cassettes. The patent itself is exceptionally broad and ridiculous. It never should have been granted. Even if it was legit, the idea that it has anything to do with podcasting is simply ridiculous. Last summer, NPR's Planet Money had a good episode all about this patent, in which the lawyer and the patent holder made some ridiculous claims, pretending that this patent was "the roadmap" that taught people how to podcast.

The good folks at EFF started a "save podcasting campaign" and raised some money, which they used to file a challenge against the patent at the Patent Office. That process is still ongoing, but it appears that Personal Audio and its lawyer have decided to go to war with the EFF and its donors, trying to intimidate them. In one of its lawsuits over the patent (completely unrelated to the challenge at the USPTO), Personal Audio sent a subpoena to EFF demanding a whole bunch of stuff, including identifying information on everyone who donated to the campaign. Here's the full list of what they're actually asking for:

Any communications between the EFF and Defendants specifically Concerning the '504
patent, including but not limited to the construction of any claim terms and any alleged
prior art relevant to any claim of the patent.

Any communications between the EFF and any actual or potential witness specifically
Concerning the '504 patent or prior art to the '504 patent.

Any communications between the EFF and any third parties specifically Concerning the
'504 patent, including but not limited to any communications with the Cyberlaw Clinic at
the Harvard University Berkman Center for Internet and Society, Julie Samuels, Mark
Cuban, RPX, Article One Partners, Mark Lemley, Durie Tangri Page Lemley Roberts &
Kent LLP, the Open Innovation Network, StackExchange, Google, Inc and/or their
representatives, agents or counsel.

Any non-privileged communications regarding the prior art cited in any proceedings in
the Patent and Trademark Office Concerning the '504 patent.

All fundraising activities in connection with the proceedings in the Patent and Trademark
Office specifically Concerning the '504 patent, including but not limited to the
Identification of the names of all Persons who donated or contributed and Identification
of the amounts contributed by each Person, as well as the Identification of any promised
contributions which have not been received yet as well as the Persons who promised such
contributions and the amount thereof.

All steps taken in order for the EFF to be "fully prepared" to take on Personal Audio with
respect to the '504 patent.

Identification of any Information Concerning any prior art (whether or not included in
any Patent and Trademark Office proceeding) that would tend to show either: (1) the art
did not disclose any element of the claims of the '504 patent or (2) the art was not
demonstrably available prior to any filing date of the '504 patent.

Any nonprivileged analysis or Communications Concerning the following: (1) the claims
of the '504 patent; (2) any prior art to the '504 patent; and (3) the meaning or
construction of any of the terms in the claims of the '504 patent.

EFF is fighting the subpoena, arguing a variety of points about how this goes way beyond any reasonable effort. It's not just seeking information totally irrelevant to the case, but it's trying to get EFF to disclose private information about individuals, violating their First Amendment rights of association. As the EFF notes in its blog post about this:

We believe that Personal Audio’s subpoena to EFF is improper for a number of reasons that are laid out in detail in our motion. Above all, we are outraged that Personal Audio is seeking to invade the privacy and associational rights of hundreds of our donors. EFF takes the privacy of its members and supporters extremely seriously—and so does the Constitution. As we explain in our motion, the First Amendment protects our donors’ right to privacy, and Personal Audio’s supposed need for the information does not trump those rights.

Personal Audio’s tactic is also improper for several other reasons. For example, it is appears to be primarily intended to avoid the well-defined limits of the PTO discovery process. The petition we filed follows a new, streamlined and therefore relatively inexpensive process. Rather than respond to that petition following the rules of that process, Personal Audio is trying to use entirely separate litigation as an excuse to raise the stakes on EFF – something Congress never intended. If Personal Audio succeeds, we fear it will send a message that this new process can be made invasive, cumbersome and expensive after all, which will in turn discourage others from using it to challenge low quality patents. That would be a shame for all of us.

Beyond that, this seems like a clear attempt by Personal Audio to intimidate both EFF and its donors -- though if they were even remotely aware of the EFF and its backers, they should have known how badly that plan would backfire. Hopefully the court will rightfully quash the subpoena and, perhaps, make it clear to Personal Audio's lawyer, Jeremy Pitcock, that this is totally improper.

from the wow dept

Following the DOJ's brazen collection of info on AP reporter phone calls, we noted that it was not the first time the DOJ had been overly aggressive in going after reporters. Now, the Washington Post has another horrifying story, talking about the DOJ's investigation into a leak from the State Department to Fox News concerning classified info on North Korea. That investigation resulted in charges against Stephen Jin-Woo Kim, a State Department security adviser, but the investigation included heavy surveillance of James Rosen, the Fox News reporter. They obtained his phone records, security-badge data and email exchanges. In order to get all this, they claimed that Rosen wasn't just a reporter, but "an aider and abettor and/or co-conspirator" in the crime itself. For doing basic reporting.

By now it should be abundantly clear that this has little to do with protecting national security, and everything to do with a war on investigative reporting about the federal government. Almost everything seems to be designed to threaten reporters, and to put the fear of the federal government into any whistle blower who might have information to pass on to a reporter. As people have pointed out, what Rosen did in this case is what any national security reporter does all the time. Others have pointed out that this shatters the basic concept that those who report on the news are protected by the First Amendment in doing so.

The Reyes affidavit all but eliminates the traditional distinction in classified leak investigations between sources, who are bound by a non-disclosure agreement, and reporters, who are protected by the First Amendment as long as they do not commit a crime. (There is no allegation that Mr. Rosen bribed, threatened or coerced anyone to gain the disclosure of restricted information.)

Mark Mazzetti, who covers national security for the New York Times — one of several leading investigative reporters I reached out to today — says he is experiencing a greater reluctance on the part of sources to talk to him.

"There's no question that this has a chilling effect," Mazzetti said. "People who have talked in the past are less willing to talk now. Everyone is worried about communication and how to communicate, and [asking if there] is there any method of communication that is not being monitored. It's got people on both sides — the reporter and source side — pretty concerned."

The end result, of course, is less ability to keep government abuses -- of which there appear to be many -- in check.

from the quashed dept

You may recall that Prenda had (not surprisingly) gone crazy overboard with subpoenas in its attempt to intimidate some anti-copyright troll bloggers and their commenters. The EFF stepped in and asked a court to quash the subpoena, which the court has now done, in large part because Prenda never even bothered to respond.

As
of this date, no responsive memorandum has been filed. LRCiv 7.2(i) provides in part “if the
opposing party does not serve and file the required answering memorandum, ...such
noncompliance may be deemed a consent to the denial or granting of the motion and the
Court may dispose of the motion summarily.” Pursuant to this rule, the Court deems
Plaintiff's failure to serve and file the required answering memorandum a consent to the
granting of Defendant-Movant's Motion to Quash the Subpoena to Wild West Domains
Seeking Identity Information.

I guess Prenda's a bit busy. Or someone there realized this subpoena had zero chance of actually going forward. Either way, the subpoena is dead.

from the what-are-they-smoking? dept

This is rather incredible. We already wrote about Prenda Law's series of defamation lawsuits against commenters on two key blogs that have been instrumental in exposing their shenanigans: FightCopyrightTrolls and DieTrollDie. While John Steele has dismissed his claim, the other two suits are still moving forward as far as I know. And now it's come out that Prenda Law's Paul Duffy sent a ridiculously broad subpoena to Wordpress demanding every IP address of every visitor who has visited either site since the beginning of 2011. Basically, they're looking for everyone who has ever visited either site:

Our client is requesting all Internet Protocol addresses (including the date and time of that access in Universal Coordinated Time) that accessed the blogs located at dietrolldie.com and fightcopyrighttrolls.com between January 1, 2011 through the present. Please provide this information in an Excel spreadsheet.

The subpoena is from Paul Duffy, so it's a bit ridiculous to claim "our client" since he is the client. This seems like a pretty clear abuse of the subpoena process, though, coming from Prenda Law, whose specialty is doing anything it possibly can to get IP addresses, perhaps it's no surprise. The subpoena was issued in association with the original claim that was filed in state court. The cases have all been removed to federal court, and hopefully the lawyers at Wordpress know better than to just cough up this info like that. Even more ridiculously, Duffy tries to claim that this is an "emergency" so they shouldn't waste any time in handing over the info:

Due to the emergency nature of the requested information, it is imperative that your organization responds to the subpoena immediately. The requested information is perishable and vital to the claims asserted in a complaint alleging widespread and systematic defamation.

What hogwash. They're looking for data going back to January of 2011. If Wordpress has logs going back that far, it's not like they're suddenly going to disappear. And, of course, the "widespread and systematic defamation" claims are already pretty questionable.

It's not difficult to look at this and see a likely attempt at creating chilling effects to try to scare people off from visiting those sites. Considering that Prenda has been collecting all sorts of IP addresses in its various copyright trolling lawsuits, can you imagine what they might do if they can cross reference IP addresses of visitors to those sites with the IP addresses they've already sued over?

from the dangerous-ruling dept

Earlier this month, we noted a problematic attempt by Grooveshark's parent company, Escape Media, to subpoena information on an anonymous commenter on the blog site Digital Music News. As we noted at the time, Universal Music had referenced that comment in its lawsuit against Grooveshark. It seemed bizarre to reference an anonymous comment, especially one that seemed like pure hearsay (it made claims about things Grooveshark employees had done). In the lawsuit between UMG and Grooveshark it seemed completely pointless (and, indeed, Grooveshark has been arguing as much in that particular lawsuit). Yet, at the same time, Grooveshark subpoenaed DMN in an attempt to find out who posted that comment. DMN resisted the subpoena, noting that it discards and overwrites its log files every few days anyway, and these files had been long gone already. It also pointed to California's shield law for journalists and the basic First Amendment protections for anonymous speech.

Unfortunately, the judge has ruled against Digital Music News, and ordered it to produce the information. The judge has indicated that he will not require this information during the appeal that DMN's lawyer indicated they would file... but did require "preservation" of the evidence during that time. Beyond the shield law and First Amendment issues raised here (we'll get to those), this raises a very, very troubling proposition for any website that regularly overwrites its log files. Escape Media had argued that even if DMN overwrote the log files, it should be required to hand over the information on the subpoena just in case the overwritten data was still available and could be recovered.

So, what do you do in this situation? Under the judge's order to "preserve" data that has already been deleted, what is a site to do? Do they have to immediately stop using their existing hardware and set up an entire clone -- hanging onto all of the original hardware for who knows how long, just in case a forensics expert can find a tiny piece of (useless for this case anyway) data that has been overwritten probably a hundred times already? That seems crazy. Paul Levy, from Public Citizen, who is representing DMN on this issue, highlighted many of the issues in his blog post about this:

The imposition of data preservation requirements on a journalist who is not a party to the litigation raises questions apart from the merits of the order. Journalists need to be able to discard data when they no longer have any of their own use for it. Yes, “the public has a claim to every man’s evidence,” but don’t members of the public who are not involved in litigation have the right to discard information despite the fact that it might turn out to be useful evidence for somebody else’s case? Does the public have a claim to heroic efforts on every man’s part? Shouldn’t there be higher standards for subpoenas demanding intrusive searches for discarded data in the hands of third parties?

The problem is compounded when it is a journalist that has been subpoenaed. To what extent does society have any entitlement to make journalists in particular take heroic measures, such as searching the nooks and crannies of their computer equipment for fragments of discarded data? The judge was sensitive to the fact that our client here is a journalist, telling Escape Media that he was not prepared to allow it to make any general search of Digital Music News’ computers. But an issue that we may have to pursue on appeal is whether a journalist should ever have to undertake such drastic preservation efforts in aid of a lawsuit in which he is not involved, particularly given the relative unlikelihood that fragments of identifying data remain on his computers somewhere.

Indeed, the problem is broader than just journalists. Companies often keep log files with respect to server visits (and hosted comments), but there is little business justification for keeping those logs forever; so generally speaking they are discarded after a period of time (EFF's best practices recommendations are worth a look in this regard). Does the mere act of discarding log files set a company up for the possibility of a demand for forensic examination of the underlying servers, in the hope that some fragment of the data might be recovered? In this regard, the trial court's order has chilling implications for other California companies, even beyond the issue of journalists.

Issues of how to preserve the data remain to be decided. This is not like just leaving one of your file cabinets untouched for a period of time; it is not even as easy as making sure you don't delete any of your email. Preserving the web site while creating a copy of the underlying servers is a complicated process, requiring the services of a forensic specialist, and the cost could be substantial. The estimates that we have been given are well into the five figures; but even the cost of several thousand dollars would be an enormous imposition on this small company.

It really is quite a difficult issue, and if the ruling stands, could become a massive headache for any company in California.

Separately, we should not ignore the First Amendment and shield law issues. DMN is not a party in this case, and it's not even clear why this information is needed. Escape/Grooveshark can and should point out that the information contained in the comment is pure hearsay so it shouldn't have to deal with it in the original case. The company has not filed a defamation claim against the commenter and does not appear to have met the high bar required to unveil an anonymous commenter anyway. This is a pretty big concern for any journalist or blogger out there. Being dragged into a third party dispute because someone comments on your site can represent a pretty big problem for a lot of smaller sites.

While Grooveshark's legal fight against the major labels certainly raises some interesting copyright questions, it's disappointing to see them going down this path and potentially creating serious problems not just for Digital Music News, but tons of journalists and websites.